Has ProtonVPN responded to GDPR subject access requests and data deletion requests?

Checked on December 3, 2025

Executive summary

Proton has publicly positioned itself as GDPR‑compliant, publishing privacy updates and a no‑logs policy; its documentation says it stores only minimal account metadata (a last‑login timestamp) and that it refuses legal requests when it has no data to give [1] [2] [3]. Available sources document Proton’s written policies and transparency reporting but do not provide independent case‑level records showing how Proton handled individual GDPR subject‑access or deletion requests from users.

1. Proton’s public position: privacy by design and GDPR alignment

Proton frames itself as built around privacy and explicitly states support for GDPR and “privacy by design,” and it has published blog posts and policy pages explaining changes to be more explicit about data retention (for example, why it keeps a last‑login timestamp) and broader privacy commitments [1] [4] [5].

2. What Proton says it stores — and why that matters for SARs

Proton’s materials and third‑party reviews emphasize a strict no‑logs policy for VPN traffic and say the company only retains a single account timestamp (the most recent login) and no connection logs; this means there may be little or nothing to hand over in response to requests for browsing or connection data [3] [6] [5].

3. Transparency reporting and refusal of legal requests

Proton publishes a transparency report and warrant canary and states that official data requests “led nowhere,” with many requests refused because Proton had no logs to provide; the transparency reporting is presented as evidence that when requests arrive, Proton often cannot comply because the requested data is not stored [3] [7].

4. What the sources do not show — the gap on individual SARs and deletions

None of the provided sources include verifiable, case‑level examples of Proton processing GDPR subject access requests (SARs) or deletion requests from private users, nor do they publish metrics on the number and outcomes of SARs or data deletion requests.

5. Third‑party corroboration and audits: partial support, not full proof

Independent reviewers and audit‑style coverage cite Proton’s no‑logs practices and GDPR compliance on paper, and some audits have reportedly confirmed the no‑logs claim — but those reports concern logging practices and infrastructure, not the administrative handling or timeliness of SARs and deletion requests [6] [8] [9].

6. Legal jurisdiction and enforcement context that shapes responses

Proton operates under Swiss law and highlights that it cannot comply with data requests without proper Swiss legal process; the company leverages this jurisdictional protection alongside GDPR compliance as part of its defence when responding to official requests [10] [3]. That jurisdictional posture affects how the company responds to government/legal demands, but the interaction with individual GDPR administrative rights (SARs/deletions) is not documented in the provided material.

7. Competing perspectives and implicit incentives

Proton’s messaging benefits from reinforcing privacy superiority; transparency reports and policy pages serve both legal‑compliance and marketing functions. Independent sites and VPN reviewers largely echo Proton’s claims but also observe that concrete SAR handling performance (speed, completeness, dispute resolution) is not publicly audited in these sources [11] [12] [6].

8. Practical takeaway for users and what to ask next

The documentation and transparency reports show Proton's commitment to minimal retention and public refusal of requests when no data exists [3] [1]. However, if you need proof that Proton reliably answers GDPR subject access or deletion requests for individual accounts, the current sources do not supply case examples or metrics — ask Proton directly for: (a) their SAR/deletion request procedure, (b) anonymized statistics on SARs/deletions handled (counts, response times, outcomes), and (c) any third‑party audits covering administrative compliance with GDPR rights (available sources do not mention such administrative audit details).

Limitations: This analysis relies solely on the supplied documents; they detail policy, audits about logging, and transparency reports but do not include documented user SAR/deletion case histories or aggregated SAR metrics.
